If the “http auth” shown in the screenshot refers to NIP-98, then it’s very unlikely those requests happened with no user action at all. In Jumble, HTTP auth is only required when uploading images or requesting translation services. Also, the screenshot shows that a reaction was made.

As for NIP-42 auth: Jumble only requests signing when it cannot fetch events without authentication. When you’re browsing the following feed, it is possible to see multiple auth signing requests. If other clients don’t trigger the same behavior, it’s reasonable to suspect that they either don’t support the outbox model or are not fetching a complete dataset.

Some people argue that clients should always prompt the user before performing NIP-42 auth, and allow users to block auth to specific relays to avoid potential privacy leaks. Personally, I think this logic belongs in the signer, not the client. Otherwise users end up having to approve things twice, and approve things for every client.

Based on my own experience using many different clients, I can say confidently that Jumble is actually quite conservative when it comes to signing requests. In my signer setup, only get public key and NIP-42 auth are allowed without prompting, and with that configuration, most other clients are almost unusable.


Discussion

Some good food for thought, thank you Sir.